Enterprise AI Compliance Consulting

    Regulatory readiness for AI — EU AI Act, ISO 42001, NIST AI RMF, UK AI Principles. Audit-ready governance, regulator-grade documentation.

    Hexalink TrueNorth

    TrueNorth — AI compliance advisory you can hand to a regulator

    Hexalink TrueNorth is the AI compliance service line for UK and EU organisations with regulatory exposure on their AI systems. We classify your AI estate against the applicable frameworks, draft the governance and policy documentation, and produce the audit trail your General Counsel and Audit Committee need.

    TrueNorth focuses on compliance posture — what regulators expect to see. Compass (separate service line) focuses on transformation prioritisation — what to AI-transform in the first place. Most organisations need both, sequenced.

    How TrueNorth works — three phases

    A structured engagement from AI inventory through policy drafting to audit-ready posture.

    01

    AI Inventory & Risk Classification

    Output · AI risk inventory

    Discover and catalogue every AI system across the estate. Classify each system against EU AI Act risk tiers (unacceptable / high / limited / minimal) and NIST AI RMF risk functions. Produces a defensible inventory before any policy work.

    02

    Policy & Governance Documentation

    Output · Policy & governance pack

    Draft acceptable-use, governance, and risk-management policies. Define roles, responsibilities, oversight structures, escalation paths, and decision rights. Mapped to ISO 42001 controls and NIST AI RMF functions.

    03

    Audit-Readiness Review

    Output · Compliance posture report

    Map controls to ISO 42001 / NIST AI RMF / EU AI Act conformity requirements. Produce the supervisory documentation, evidence trail, and gap-closure roadmap your General Counsel and Audit Committee need.

    What you get

    Three engagement sizes — each scopes which phases are included and at what depth.

    TrueNorth Diagnostic

    Phase 1 + scoped Phase 2

    Single business unit assessment with risk classification and a short policy draft. Entry SKU for an initial regulatory baseline.

    TrueNorth Programme

    Full Phase 1 + Phase 2 + Phase 3

    Enterprise-wide compliance baseline across the whole AI estate. Full policy pack, governance framework, and audit-ready posture. Core SKU.

    TrueNorth Subscription

    Phase 1 + 2 + 3 on quarterly cadence

    Multi-entity ongoing compliance with quarterly re-baseline and policy updates as regulations evolve. Annuity SKU.

    Frameworks we work with

    Deep expertise across the regulatory and standards landscape for AI governance — the ones your auditors will actually ask about.

    EU AI Act

    Risk-tier classification, conformity assessment scoping, and a phased path to compliance with the EU's landmark AI regulation.

    UK AI Principles

    Alignment with the UK's pro-innovation framework — safety, transparency, fairness, accountability, contestability — across your AI systems.

    ISO 42001

    AI management system gap analysis and implementation plan, anchored to the ISO 42001 standard.

    NIST AI RMF

    Map · Measure · Manage · Govern. Structured AI risk management using the NIST AI Risk Management Framework.

    What lands on your desk

    Four concrete outputs you can hand to a regulator, audit committee, or General Counsel.

    AI Risk Inventory

    Every AI system in scope classified against EU AI Act tiers, ISO 42001 controls, and NIST AI RMF functions. Living document, owned by you.

    Policy & Governance Pack

    Acceptable-use, risk-management, and governance policies — drafted, reviewed, ready for board approval. Includes RACI matrix and escalation paths.

    Compliance Roadmap

    Prioritised, time-bound milestones to close gaps and reach audit-ready posture — sequenced by regulatory deadline and risk exposure.

    Supervisory Pack

    Documentation evidence trail — risk classifications, conformity rationale, oversight records — ready for regulator inspection or audit committee review.

    Why TrueNorth is different: regulator-grade, activity-level, vendor-neutral

    Regulator-grade, not theory-grade

    Output is what your General Counsel hands to a regulator. Policies are board-ready. Risk classifications are defensible. The documentation survives external audit, not just internal review.

    Activity-level risk classification

    Each AI system is classified individually against the applicable risk tier — not a blanket policy applied to everything. Risk is concentrated where it actually lives.

    Advisory-only, vendor-neutral

    No downstream tooling, no compliance-as-a-service lock-in. The recommendation is independent of any vendor relationship — which is why audit committees and regulators take it seriously.

    Compliance posture pack, published

    The TrueNorth compliance posture documentation — policy templates, governance framework, risk classification matrix, and audit-readiness checklist — is documented in full. Available on request to qualified enterprise buyers under NDA.


    Who TrueNorth is for

    Four buyer segments, each with a specific use of the TrueNorth deliverables.

    General Counsel & Compliance Officers

    A regulator-ready compliance posture across EU AI Act, UK AI Principles, ISO 42001, and NIST AI RMF — with the documentation trail to back it up.

    CIOs & Chief AI Officers

    An inventory and risk classification of every AI system in the estate, plus a roadmap that turns regulatory ambiguity into operating practice.

    Boards & Audit Committees

    Quarterly board-grade scorecards on AI risk exposure, with risk-tier flagging for unacceptable failure modes and clear accountability paths.

    Internal Audit

    Control mappings against ISO 42001 / NIST AI RMF — ready to be reviewed alongside your existing IT audit programme. Saves weeks of evidence collection.

    Book a TrueNorth scoping call

    A 30-minute call to map your AI estate, identify the applicable regulatory regimes, and decide which TrueNorth SKU fits — Diagnostic, Programme, or Subscription.



    v1.1 · May 2026 · Hexalink Ltd × Novoflux